Signatures stored as information inside a "public key"/certificate?

Robert J. Hansen rjh at
Fri Jun 13 18:37:28 CEST 2008

bezna wrote:
> I'm having a disagreement with someone over this. From what I've
> read, signatures on a "public key" or rather, a certificate,
> including the self-signature, are stored as a packet on that key. The
> important point: This data (IE all the signatures made on your
> certificate) is encoded on the certificate within that block of ASCII
> armoured text/binary data when it is exported for someone else to
> import in their keyring.

Yes.  No.  Neither.

OpenPGP implementations are free to store data however they want.  The
GnuPG keyring file is just a sequence of OpenPGP octets and packets, but
there's no reason why it needs to be this way.  Honestly, I'd much
rather the data was stored in some kind of easily parseable format,
whether it be XML or a simple context-free grammar or what-have-you, but
that's neither here nor there.

It doesn't make any sense to talk about what's "stored on the keyring"
versus what's "stored on the certificate".  Neither is well-defined.
The only thing that's well-defined is the interoperability format.

If your question is really "how does GnuPG do this", well, that gets a
bit different.  GnuPG's keyring file is essentially a long chain of
certificates stored in the interoperability format.  If you want to
export a key, it just grabs the relevant part of the keyring, strips out
local signatures and other installation-specific data, and dumps that.
The preceding is a simplification, but as far as I understand it is
essentially accurate.  dshaw or wk will certainly correct me if I'm
wildly wrong, which has been known to happen from time to time.  :)

More information about the Gnupg-users mailing list